Pages

A Microsoft security update fixes two critical vulnerabilities in XML Core Services that could be used by attackers in drive-by attack campaigns. But, the software giant did not address an Internet Explorer zero-day vulnerability being actively targeted by attackers.

Microsoft issued two critical bulletins and five important bulletins, addressing 12 vulnerabilities in Microsoft Windows, Office Developer Tools and Windows Server as part of its January 2013 Patch Tuesday security updates.

The two critical flaws in XML Core Services can be remotely exploited by an attacker, who exploits the flaws by tricking users into visiting a malicious Web page, infecting them with data stealing malware. The update, outlined in bulletin MS13-002, addresses the way the protocol parses XML content. It affects all supported versions for Microsoft Windows and Office as well as Developer Tools and Server Software.

It's very likely that drive-by attacks will be set up to detect vulnerable systems, said Wolfgang Kandek, CTO of vulnerability management vendor Qualys. Attackers will not have a hard time reverse engineering the vulnerabilities because previous coding errors in XML Core Services were patched in 2012, he said. "It wouldn't be difficult for someone to do the same analysis, find the vulnerabilities and use the same infrastructure to exploit the problem again," Kandek said.

Patching administrators should be careful when testing and deploying the update because a lot of systems are impacted, according to Kandek. Newly installed applications can also potentially introduce an older version of the XML library, reintroducing the flaws, he said.

Noticeably absent, according to patching experts, is a security update addressing an Internet Explorer zero-day vulnerability. Microsoft acknowledged that there have been reports of ongoing attacks targeting the error. The attacks have been linked by Symantec researchers to the Elderwood gang, known for cyberespionage activities and intellectual property theft. Qualys' Kandek said he wouldn't be surprised if Microsoft issued an emergency, out-of-band update addressing the flaw because proof-of-concept code is publicly available, making more widespread attacks possible. Pen testers maintaining the Metasploit framework have also released a module for the attack tool.

Researchers have found a way to bypass the automated workaround issued by Microsoft, making the attack more dangerous, said Jason Miller, manager of research and development at VMware. The issue is rated important and affects all versions of Windows. "Hearing that makes me think that they'll want to accelerate the release," Miller said. "It's difficult for them to pull quick turnaround because we're probably dealing with multiple vulnerabilities."

Miller urged users of IE to install the automated workaround or upgrade to IE 9, as well as recommended updating signatures for antivirus, because most security firms can detect malware attempting to exploit the flaw, he said.